VERSION 5.2.3

FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdocs@fortinet.com

TABLE OF CONTENTS
Change Log
Introduction
Add a warning when using deep SSL inspection mode on security policy and SSL profile pages
Improve FSSO group GUI
Add Log Rate stats to System Resources widget
Add a command to export logs on local disk to external USB
Improve FortiView performance and add System Events, Admin Logins, and VPN
Integrate vmtools for FortiGate VMWare platforms
Top Features
Unified Policy Management
FortiView Dashboards
SSL Inspection
Web Filtering
Application Control
IPsec VPN Creation Wizard
Captive Portal
FortiAP Management
Flow-based Antivirus
FortiExtender Support
Using a Virtual WAN Link for Redundant Internet Connections
Internet Key Exchange (IKE)
SSL VPN Creation
On-Net Status for FortiClient Devices
System Features
FortiExtender Support
Using a Virtual WAN Link for Redundant Internet Connections
Setting Up a Virtual WAN Link
Setting Up Virtual WAN Link Load Balancing
Directing Traffic to Higher Quality Links
Measured Volume Based Distribution
The Link Monitor
FortiGuard Services
Updates from Multiple FortiManager Units
FortiGuard Server List
Using TCP Port 80 to Receive Updates from a FortiManager Unit
Netflow v9.0
Configuring the Global Settings for Netflow Collector and Timers
Using Netflow with VDOMs
Adding Netflow Sampling to an Interface
Viewing the Configuration
DHCP Server Configuration
Improvements to Aggregate/Redundant Interfaces
Minimum Number of Links in an Aggregation
Avoiding Traffic Disturbances
Link Layer Description Protocol
CPU and Memory Usage per VDOM
Custom Languages for Guest Management and SSL VPN Portals
Packet Capture Options for Admin Profiles
FortiCloud Modem List
SPAN Support for Hard-Switch Interfaces
Setting the Service and AC-name in PPOE PADI/PADO Negotiations
Disabling FortiExplorer, the USB MGMT Port, and the Serial Console
Port Kernel Profiling
Using a Second Destination IP (VRDST)
Session Rate Stats per VDOM
Disable Honoring the Don't-Fragment Flag
Disable Login Time Recording
Per-IP-Bandwidth-Usage Feature Removed
Modem Support
Usability Enhancements
FortiView Dashboards
Sources
Applications
Cloud Applications
Destinations
Websites
Threats
All Sessions
Drilldown Options
Sniffer Traffic Support
FortiExplorer Setup Wizard Improvements
Removed Features
FortiWiFi
Internet Access
Remote VPN
AntiVirus Inspection Mode
Interfaces List Improvements
Dragging Objects Between Policies in the Policy List
Cloning Table Objects
DHCP-related Improvements in the Web-based Manager
System Resources Widget
License Information Widget
USB Modem Widget
New Feature Settings Preset
Improved Banned User List Page
Replacement Message Improvements
Sorting and Filtering Support for the Virtual IP list
Web-based Manager Options for the FortiGate-30D
Firewall
Menu Simplification
Policies
Objects
Unified Policy Management
Importing LDAP Users for a Security Policy
Dynamic VIP According to DNS Translation
GTP Rate Limiting
Per-Stream Rate Limiting
Per-APN Rate Limiting Profiles
Object UUID Support
Configuring the Class of Service Bit
Hairpinning for NAT64 and NAT46
Security Profiles
Menu and Options Simplification
AntiVirus
Web Filter
Intrusion Protection
Application Control
Advanced Options
SSL Inspection
Automatic Inspection When Security Profiles are Used
HTTPS Scanning Without Deep Inspection
SSL/Deep Inspection Exemptions
Generating Unique CA and Server Certificates
Server Certificates
Web Filtering
HTTPS for Warnings and Authentication
Modifying HTTP Request Headers
Restrict Google Access to Corporate Accounts
Referer Added to URL Filtering
FortiGuard Rating Checks for Images, JavaScript, CSS, and CRL
Additional Replacement Message Variables
New Daemon for Overrides and Warnings
Application Control
Deep Inspection for Cloud Applications
Traffic Shaping Settings
5-Point-Risk Rating
Replacement Message
Support for SPDY Protocol
Support for Non-HTTP WAN Optimization and Explicit Proxy Traffic
Flow-based Antivirus
Intrusion Protection System (IPS)
Adjusting Rate Based Signatures
Extensible Meta Data
Extended Database
Support for Non-HTTP WAN Optimization and Explicit Proxy Traffic
Vulnerability Scanning Visibility
Removed IM Proxy Options from the CLI
Client Reputation
IPsec VPN
VPN Creation Wizard
New Menu
Expanded VPN Options
Tunnel Templates
Internet Key Exchange (IKE)
Multiple Interfaces
Mode-Configuration
Certificates Groups
Authentication Methods
Inheriting Groups from the Security Policy
Assigning Client IP Addresses Using the DHCP Proxy
Transform Matching
Cookie Notification
Assign Client IP Addresses Using DHCP Proxy
IKEv1 Mesh Selectors
Message ID Sync for High Availability
Dynamic IPsec Route Control
add-route
Blocking IPsec SA Negotiation
Default Lifetimes and Proposal Values
Prioritizing DH Group Configuration
IPv6 Support for IPsec Phase 2
IPsec VPN Support with the FortiController-5103B
SSL VPN
SSL VPN Configuration
VPN Settings
VPN Portal
Creating the Firewall Policy
ECDSA Local Certificates
Host Security Check Error Replacement Message
Authentication
Captive Portal
External Captive Portals
Using Groups from the Security Policy
Exempting a Policy
Replacement Messages
User Authentication via a POP3 Server
Limiting Guest User Accounts
Nested Group Search in LDAP Authentication
Password Length for User Authentication
Certificates for Policy Authentication
Authentication Blackouts
Single Sign-On for Guest Accounts
Managing Devices
On-Net Status for FortiClient Devices
Endpoint Licenses
URL Filter Lists in Endpoint Control
FortiGuard Categories Consistency with FortiClient
Default Device Groups
Device Detection for Traffic Not Flowing Through the FortiGate
Wireless Networking
FortiAP Management
Manually Selecting AP Profiles
AP Scanning
Radio Settings Summary
CLI Console Access
Split Tunneling for Wireless Traffic
Captive Portal for WiFi
New Configuration Options
WPA Personal Security + Captive Portal
New Wireless Health Charts
RADIUS Accounting
802.11ac and DARRP Support
Date Channel DTLS in Kernel
IPv6
IPv6 Address Ranges
TCP MSS Values
RSSO Support
FortiManager Connections
Geographical Database
High Availability
Explicit Proxy Policy Table - for explicit web proxy, explicit FTP proxy and WAN optimization policies
Distributing Explicit Web Proxy Traffic to Multiple CPU Cores
Proxy Header Control
Explicit Web Proxy SOCKS services support for TCP and UDP traffic
Preventing the explicit web proxy from changing source addresses
Explicit web proxy firewall address URL patterns
URL patterns and HTTPS scanning
Advanced Routing
BGP Neighbor Groups
OSPF Fast Hello
BGP Conditional Advertising
Source and Destination IP-based Mode for ECMP
Policy Routes
RFC List
Change Log

Date               Change Description
November 5, 2014
September 5, 2014
July 2, 2014       Initial release.
Introduction
This document lists and describes many of the new features added to FortiOS 5.2.
New features in FortiOS 5.2.3 provides a brief description of features that were added to FortiOS 5.2.3.
New features in FortiOS 5.2.2 provides a brief description of features that were added to FortiOS 5.2.2.
New features in FortiOS 5.2.1 provides a brief description of features that were added to FortiOS 5.2.1.
Top Features describes some of the most important new features in FortiOS 5.2.
Usability Enhancements describes some enhancements that make the web-based manager easier to use and more effective.
The next sections deal with new features for specific areas of network configuration:
- Firewall
- Security Profiles
- IPsec VPN
- SSL VPN
- Authentication
- Managing Devices
- Wireless Networking
- IPv6
- High Availability
- Advanced Routing
Other New Features contains information about other features that have been added in FortiOS 5.2.
RFC List contains information about RFCs that are supported by the new features.
- Allow admin user to start/defer file system check if FGT was not shutdown properly
- Cloud Sandboxing
- Deep Flow
CLI changes
Add the set wan command.
Syntax
config system global
    set wan {enable | disable}   // disabled by default
end
This command makes one of the switch ports (LAN4 on the 20C-ADSL) a dedicated WAN port, so that a redundant WAN port is available in addition to the ADSL port.
By leaving LAN4 as a switch port (set wan disable) or making it a dedicated WAN port (set wan enable), the two platforms can work in two modes:
GUI changes
The column filter icon on the table header has been replaced with a faceted search bar. The bottom panel now behaves better and resizes smoothly.
GUI changes
A Last connection time column has been added that shows the timestamp of the last VPN connection started by each user. The list can be sorted by last connection time.
GUI changes
When creating an FSSO group from the Users/Groups creation wizard, the LDAP browser has a new Organizational Unit tab next to the Users and Groups tabs. The same tab is available in the FSSO dialog.
- The table under System > Certificates now fits in one regular browser width by default, like the Policy, Interface and other pages.
- Text in cells is wrapped to keep the columns narrower.
- The displayed columns now include who signed the certificate (where applicable) and the expiry date.
For more information, refer to the 5.2.3 feature/platform matrix at the following link:
http://docs.fortinet.com/d/fortigate-fortios-5.2.3-feature-platform-matrix
Syntax
config wireless-controller wtp-profile
    edit "profile"
        set led-state {enable | disable}
    next
end
FortiAP side:
cfg -a LED_STATE=0|1|2
CLI changes
Add the split-port operation to config system global.
Syntax
config system global
    set split-port port1 port2
end
GUI changes
Faceplate port groups now update according to the state of the split ports.
Allow admin user to start/defer file system check if FGT was not shutdown properly
When the FortiGate was not shut down properly, the file system check is no longer started automatically, because it can take a long time. Instead, after an administrator logs in, a dialog offers to start the file system check now or defer it. If the check is started, the FortiGate reboots and runs the file system check.
Cloud Sandboxing
FortiSandbox settings are accessible under System > Config > FortiSandbox, where a new FortiSandbox Cloud option is available. When selected, it uses the FortiCloud account previously configured in the License Information widget.
Deep Flow
This new inspection mode uses an IPS scan, as in Flow mode, to catch anything obvious that is covered by signatures, but also passes a copy of any payload over 64 bytes to the scanunit engine, which collects the parts of the payload for proxy-style analysis while the chunks of the payload are forwarded to the recipient just as in Flow mode.
Once the last chunk of the payload is received by the scanunit engine, the whole payload is analyzed. Only if it passes analysis is the last chunk sent on to the recipient.
This method is characterized as being as secure and effective as Proxy mode but faster than regular Flow mode. Note the trade-off: because every chunk before the last has already been delivered, a detection can only withhold the final chunk, so a client may end up holding a truncated copy of a blocked file rather than none of it.
When configuring Deep Flow, the GUI and CLI show this option as Flow, with the functionality described above.
- Add broadcast/multicast suppression for local bridge mode SSID on the FortiAP side
- Add hardware switch feature and SPAN functionality to 30D, 60, and 90D. Move PoE ports out of the internal switch to independent interfaces
- Reimplementation of the session list as a part of FortiView to improve functionality and usability
- Add GUI option to control the TLS versions for web administration
- Add support for more than 32k FortiClient configuration distribution through EC-NAC
- Add a warning when using deep SSL inspection mode on security policy and SSL profile pages
- Improve FortiView performance and add System Events, Admin Logins, and VPN
CLI changes
Add the diagnose sys scanunit stats command.
Syntax
diagnose sys scanunit stats <option>
Options: list, all, clear
Syntax
diagnose sys scanunit filter <option>
Options: list, clear, negate, vd, worker
Syntax
diagnose sys scanunit log filter <option>
Options: list, clear, negate, vd, worker
Syntax
diagnose sys scanunit restart
Add broadcast/multicast suppression for local bridge mode SSID on the FortiAP side
CLI changes
Add broadcast/multicast suppression for different packet types.
Syntax
config wireless-controller vap
    edit <vap_name>
        set broadcast-suppression <option>
    next
end
Options: dhcp-up, dhcp-down, arp-known, arp-unknown, arp-reply, netbios-ns, netbios-ds, ipv6
Add hardware switch feature and SPAN functionality to 30D, 60, and 90D. Move PoE ports out of the internal switch to independent interfaces.
Added virtual switch commands.
Syntax
config system virtual-switch
    edit lan
        set physical-switch sw0
        config port
            edit port1
            next
            edit port2
            next
        end
    next
end
Syntax
config system global
    set sys-perf-log-interval <value>
end
Show the progress of downloading the image and upgrading, with a progress bar.
GUI changes
On the status page, if a new update is available on the FortiGuard server, the next recommended update is displayed.
The admin can click the upgrade link and optionally back up the config before confirming the upgrade.
The dialog displays the progress of the update. Once the update is being installed, the browser probes the FortiGate until it has completed the reboot, then automatically refreshes to go to the login screen.
Similarly, on the upgrade page, if the user chooses to upgrade from the FortiGuard Network, the recommended firmware (if any) is preselected in the firmware version box. If no firmware is recommended, "up to date" is displayed. Note that there may be several firmware options available, but the chooser is set to the recommended version automatically, not just the latest version available. This information is obtained from the upgrade path package from FortiGuard.
Once the update is complete and the reboot starts, the browser probes the FortiGate until it responds, then redirects to the login page once it is available again.
Syntax
config log gui-display
    set fortiview-unscanned-apps {enable | disable}   // include unscanned traffic in FortiView application charts
    set fortiview-local-traffic {enable | disable}    // include local-in traffic in FortiView realtime charts
end
Add GUI option to control the TLS versions for web administration
Introduce a GUI setting that lets the administrator control which TLS 1.x versions are accepted for GUI HTTPS.
Syntax
config system global
    set gui-https-tls-version <option>
end
Option     Description
tlsv1-0    TLS 1.0.
tlsv1-1    TLS 1.1.
tlsv1-2    TLS 1.2.
TLS 1.0 and 1.1 are deprecated protocol versions; unless a legacy management client requires them, allow only tlsv1-2 for the administrative interface.
Syntax
config wireless-controller setting
    set account-id <string>
end
CLI changes
Syntax
config system lte-modem
    set status {enable | disable}
    set extra-init <string>
    set authtype {none | pap | chap}
    set apn <string>
    set mode {standalone | redundant}
    set net-type {CDMA-1x | EV-DO | LTE | Auto}   // Only available on the F*60DC, since the feature currently works only with the Novatel E362 module.
    set holddown-timer <seconds>
end
Syntax
diagnose sys lte-modem info
Sample output
LTE Modem configuration enabled!
LTE Modem device initialized.
Manufacturer: Novatel Wireless Incorporated
Model: E362 WWAN
MEID: 99000094761891
USB Modem Interface: up
SIM State: Valid
ICCID: 89148000000229083036
Signal Strength: 3
Network Type: LTE
Network Cfg: Automatic
APN: vzwinternet
Authen Type: none
Extra Init String:
Interface mode: standalone
Holddown Time: 30
GUI changes
The GUI is almost the same. The difference is that when an LTE modem is plugged in but not connected, the same information items (vendor, model, ICCID, MEID and so on) are still displayed, which gives more information to users.
GUI changes
The new platforms FAP-224D/222C/25D/214B/21D/24D/112D/223C/321C can be selected in WTP profiles.
Add support for more than 32k FortiClient configuration distribution through EC-NAC
A new child table has been added to store advanced configuration larger than 32k.
Syntax
config endpoint-control profile
    edit <profile_name>
        config forticlient-winmac-settings
            config extra-buffer-entries
                edit <entry_id>
                    set buffer <string>
                next
            end
        end
    next
end
Add a warning when using deep SSL inspection mode on security policy and SSL profile pages
Help text has been added when enabling SSL deep inspection.
GUI changes
An information bubble is shown on the firewall policy page, as well as on the SSL profile page, when deep inspection is enabled or selected.
A video link has been added via the videos menu on both of the above pages, pointing to a new video that instructs users how to install these certificates throughout the network. Deep inspection re-signs server certificates with the FortiGate's CA, so clients that do not trust that CA get a certificate warning on every inspected HTTPS site; distribute the CA certificate to clients before enabling deep inspection on production policies.
GUI changes
In the firewall policy edit dialog, clicking the Create Users/Groups button at the bottom of the Source User(s) drop-down list launches the Wizard.
This is an extended version of the Users/Groups Creation Wizard with an extra option to create an FSSO group. Clicking FSSO shows the process of creating and/or updating an FSSO group.
The new LDAP browser design has been applied to the Single Sign-On edit page.
Syntax
execute backup disk alllogs usb
execute backup disk log usb <log_type>   // log type: traffic, event, ips, virus, webfilter, spam, dlp, voip, appctrl, anomaly, netscan
Improve FortiView performance and add System Events, Admin Logins, and VPN
GUI changes
Three new menu items have been added under FortiView:
- System Events
- Admin Logins
- VPN
CLI changes
Add a command to debug vmtools.
Syntax
diagnose debug application vmtools <integer>
Wizard improvement
Apply the new LDAP Tree Browser design to the User Wizard and User Group page.
Improves performance on FortiAnalyzer (FAZ). Simple queries over small logs let FAZ build reports faster and leave more idle time for other reports.
Uses less disk space on FAZ for the same report type.
Syntax
config firewall policy
    edit 1
        set ssl-ssh-profile <profile_name>
    next
end
Syntax
diagnose test application fnbamd 1
Sample output
Pending sessions:     0
Max session reached:  0
Auth:
    requests:  5000
    sessions:  5000
    released:  5000
Acct:
    requests:  74
    sessions:  0
    released:  0
Cert:
    requests:  0
    sessions:  0
    released:  0
<integer> is the debug level. For example, 1 would be the maximum log level in the kernel to be shown.
GUI changes
Under the System > Network > Modem page, click the Configure Modem link under the External Modem section to see the supported modem list for FortiGate and FortiExtender.
Under the System > Network > FortiExtender page, click Configure Settings and then the Supported Modems link under the Modem Settings section to show the supported FortiExtender modem list. This jumps back to the Configure Modem link on the System > Network > Modem page.
Syntax
The following new diagnose command was added to show the list of supported FortiExtender modems:
diagnose extender modem-list
Syntax
config system interface
    edit wan1
        set stpforward enable
        set stpforward-mode rpl-nothing
    next
end
Syntax
config wireless-controller vap
    edit <SSID>
        set probe-resp-suppression {enable | disable}
        set probe-resp-threshold <value>
    next
end
CLI changes
The following options were moved from the global antivirus service to firewall profile-protocol-options: uncompsizelimit, uncompnestlimit, scan-bzip2, and block-page-status-code.
The following options were removed: ftp, ftps, http, https, imap, imaps, nntp, pop3, pop3s, smtp, and smtps.
The following help text was added:
Syntax
config wireless-controller wtp-profile
    edit <wtp-profile-name>
        config lbs
            set ekahau-blink-mode {enable | disable}
            set ekahau-tag <xx:xx:xx:xx:xx:xx>
            set erc-server-ip <ip_address>
            set erc-server-port <integer>
        end
    next
end
Syntax
diagnose disktest <option>
Syntax
diagnose debug flow show iprope {enable | disable}
CLI changes
Add new endpoint and ha subcategories to config log eventfilter.
Syntax
config log eventfilter
    set endpoint {enable | disable}
    set ha {enable | disable}
end
GUI changes
Add subtype log filter options named Endpoint and HA under Event Log.
Syntax
diagnose debug admin error-log
Sample output
The recent admin user failed login details:
error code      : -100
method          : ssh
login name      : test
cmdb name       : null
login vdom      : root
current vdom    : root
override vdom   : null
login profile   : null
override profile: null
login time      : 2014-08-29 11:01:57
Syntax
diag test application hasync [1-19,50-53]
Values: 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 50, 51, 52, 53
GUI changes
- A Group By Type toggle switch has been added on the interfaces page under System > Network > Interfaces.
- A VLAN Switch Mode toggle switch has been added on the interfaces page under System > Network > Interfaces. This toggle shows a confirmation dialog when clicked, before toggling the system setting.
- A mini faceplate for Hardware Switch Mode and VLAN Switch Mode has been added in the member column under System > Network > Interfaces.
Wizard improvement
The Wizard has been improved to provide an instruction page explaining how to set up FortiClient for IPsec and SSL VPN, and to allow setting up a FortiCloud connection in the Wizard so that logs are sent to FortiCloud.
GUI changes
- Add an instruction module that generates a page explaining how to set up FortiClient for IPsec and SSL VPN, depending on the VPN that is configured.
Syntax
config firewall vip
    edit "VIP"
        set extip xxx.xxx.xxx.xxx
        set extintf "wan1"
        set portforward enable
        set mappedip xxx.xxx.xxx.xxx
        set protocol icmp
    next
end
The set protocol command now has an icmp option, which makes the firewall forward ICMP to the host specified by mappedip while the mappedport and extport attributes are skipped.
Syntax
diagnose log clear-kernel-stats
Apply new LDAP Tree Browser design to the User Wizard and User Group page
Previously, the LDAP browser showed LDAP containers and LDAP entries within the same tree. When many LDAP entries are available, it becomes harder for users to select, filter and search different types of LDAP objects.
This new feature divides the LDAP Browser into two major parts:
Syntax
exec fortiguard-log join
exec fortiguard-log try <FortiCloud_id> <Password>
Top Features
This chapter introduces the following top features of FortiOS 5.2:
- FortiView Dashboards
- SSL Inspection
- Web Filtering
- Application Control
- Captive Portal
- FortiAP Management
- Flow-based Antivirus
- FortiExtender Support
FortiView Dashboards
The FortiView dashboards integrate real time and historical dashboards into a single view that displays the top 100 sessions on a FortiGate unit. The different dashboards show information on the following:
- Sources
- Applications
- Cloud applications
- Destinations
- Web sites
- Threats
- All sessions
SSL Inspection
Several changes have been made to how SSL inspection is handled by a FortiGate unit, including a new mode that allows HTTPS traffic to be scanned without enabling deep inspection, as well as changes to the handling of certificates and to configuring exemptions from SSL inspection.
For more information, see SSL Inspection on page 81.
Web Filtering
Several new options have been added for web filtering:
- Using FortiGuard rating checks for images, JavaScript, CSS, and CRL
Application Control
Several new options have been added for application control:
- 5-Point-Risk Ratings
- Replacement messages
Captive Portal
Several new options have been added for captive portals:
- Exempting a policy
- Replacement messages
For more information, see Captive Portal on page 103 and Captive Portal for WiFi on page 112.
FortiAP Management
Several new options have been added for managing FortiAP units:
- AP scanning
Flow-based Antivirus
In FortiOS 5.2, flow-based antivirus has been improved to keep the enhanced performance of flow-based antivirus scanning in FortiOS 5.0 while providing the same accuracy and many of the extended features of proxy-based antivirus.
For more information, see Flow-based Antivirus on page 89.
FortiExtender Support
FortiOS 5.2 supports FortiExtender, which allows you to remotely connect 4G/LTE USB modems to a FortiGate unit. The FortiGate unit can remain installed in a secure location while the FortiExtender is installed on a roof or near a window, providing better 4G/LTE reception.
For more information, see FortiExtender Support on page 41.
Internet Key Exchange (IKE)
New IKE options include:
- Multiple interfaces
- Mode-configuration
- Certificates groups
- Authentication methods
- Transform matching
- Cookie notification
For more information, see Internet Key Exchange (IKE) on page 94.
System Features
New system features include:
- FortiExtender Support
- FortiGuard Services
- Netflow v9.0
- Disabling FortiExplorer, the USB MGMT Port, and the Serial Console
- Modem Support
FortiExtender Support
FortiOS 5.2 supports the new FortiExtender unit, which provides internet connectivity to a FortiGate unit via a 4G/LTE network.
To connect a FortiGate and FortiExtender, a new tap interface is created on the FortiGate unit, which receives its IP address from the cellular service provider via the FortiExtender, using a CAPWAP data channel. All packets sent to the tap interface are received by the extender module on the FortiGate and are then sent to the FortiExtender, which sends them out on the 4G/LTE network.
When data packets are received from the cellular network, the FortiExtender passes them to the FortiGate via the CAPWAP data channel. These packets are written to the tap interface and the FortiGate IP stack processes them.
The options to configure a FortiExtender unit can be found by going to System > Network > FortiExtender.
4. Enable the Control And Provisioning of Wireless Access Points (CAPWAP) service on the port to which the FortiExtender unit is connected (the lan interface in this example) using the following CLI commands:
config system interface
    edit lan
        set allowaccess capwap
    next
end
Note that set allowaccess replaces the whole list of services permitted on the interface; to keep existing management access, either list those services together with capwap (for example, set allowaccess ping https ssh capwap) or use append allowaccess capwap. Enable CAPWAP only on the interface that actually faces the FortiExtender, not on an Internet-facing interface.
Once enabled, the FortiExtender appears as a virtual WAN interface in the FortiGate, such as fext-wan1.
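The CAPWAP step above and the gui-https-tls-version setting described earlier in this document are both settings that are easy to get wrong in a configuration backup and that show up in a plain CLI export. The following Python script is an added example, not code from the original document or from Fortinet: it parses the config/edit/set/next/end structure of a FortiOS CLI backup into a dictionary and flags admin TLS versions below 1.2, cleartext admin services, and CAPWAP enabled on an interface that is not expected to face a FortiExtender or FortiAP. The sample configuration, the assumption that gui-https-tls-version holds one or more of the three keywords listed in this document, and the list of expected CAPWAP interfaces are all constructed for the example.

```python
import shlex

# Constructed sample of a FortiOS 5.2 CLI backup (not taken from a real unit).
SAMPLE_CONFIG = """
config system global
    set admintimeout 5
    set gui-https-tls-version tlsv1-0 tlsv1-1 tlsv1-2
end
config system interface
    edit "wan1"
        set allowaccess ping https capwap
    next
    edit "lan"
        set allowaccess ping https ssh http capwap
    next
end
config system virtual-switch
    edit "lan"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
        end
    next
end
"""

WEAK_TLS = {"tlsv1-0", "tlsv1-1"}      # deprecated protocol versions
CLEARTEXT_ADMIN = {"http", "telnet"}   # admin services with no transport encryption


def parse_fortios_config(text):
    """Parse config/edit/set/append/unset/next/end into a flat dict keyed by the
    nesting path, e.g. ("system interface", "wan1") -> {"allowaccess": [...]}.
    Sections without edit entries are keyed by the section name alone."""
    tree = {}
    stack = []  # one [section_name, entry_name_or_None] frame per open 'config'

    def key():
        return tuple(part for frame in stack for part in frame if part is not None)

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        kw, args = words[0], words[1:]
        if kw == "config":
            stack.append([" ".join(args), None])
            tree.setdefault(key(), {})
        elif kw == "edit":
            stack[-1][1] = args[0]
            tree.setdefault(key(), {})
        elif kw == "set":
            tree[key()][args[0]] = args[1:]          # 'set' replaces the whole value list
        elif kw == "append":
            tree[key()].setdefault(args[0], []).extend(args[1:])
        elif kw == "unset":
            tree[key()].pop(args[0], None)
        elif kw == "next":
            stack[-1][1] = None
        elif kw == "end":
            stack.pop()
    return tree


def audit(tree, capwap_interfaces=("lan",)):
    """Return a list of findings. capwap_interfaces names the interfaces on which
    CAPWAP (FortiExtender/FortiAP management) is expected; it is an assumption of
    this example, not a FortiOS setting."""
    findings = []
    tls = set(tree.get(("system global",), {}).get("gui-https-tls-version", []))
    weak = sorted(tls & WEAK_TLS)
    if weak:
        findings.append("system global: gui-https-tls-version allows %s; "
                        "restrict the admin GUI to tlsv1-2" % ", ".join(weak))
    for path, attrs in tree.items():
        if len(path) != 2 or path[0] != "system interface":
            continue
        name = path[1]
        access = set(attrs.get("allowaccess", []))
        for svc in sorted(access & CLEARTEXT_ADMIN):
            findings.append("interface %s: cleartext admin service %s is enabled" % (name, svc))
        if "capwap" in access and name not in capwap_interfaces:
            findings.append("interface %s: capwap is enabled on an interface not expected "
                            "to face a FortiExtender or FortiAP" % name)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against a real backup (show full-configuration output saved to a file) by reading the file instead of SAMPLE_CONFIG; the parser only understands the keyword forms listed above, so anything else in the export is ignored rather than misread.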
- Link Status: Shows whether the link is Up or Down; click Details to see the System and Modem Status.
- IP Address: Shows the current FortiExtender IP address; click the IP address link to connect to the FortiExtender GUI.
- OS Version: Shows the current FortiExtender build; click Upgrade if you wish to upgrade the firmware.
- Configure Settings: Allows you to configure the Modem Settings (for more information, see below), PPP Authentication, General, GSM / LTE, and CDMA.
- Diagnostics: Allows you to diagnose the FortiExtender unit; choose a command from the existing commands and click Run. The existing commands are: Show device info, Show data session connection status, Test connection, Test disconnection, Get signal strength, AT Command.
The FortiExtender unit allows two modes of operation for the modem: On Demand and Always Connect. In On Demand mode, the modem connects to a dialup ISP account to provide the connection to the Internet when needed. In Always Connect mode, the modem is always connected to the Internet and can act as a primary or backup method of connecting to the Internet. To configure the dial mode as needed, do the following:
   If your network will be using IPv6 addresses, go to Router > Static > Static Routes or System > Network > Routing and select IPv6 Route.
2. Set the Destination IP/Mask to 0.0.0.0/0.0.0.0, Device to fext-wan1, and set the Gateway to your gateway IP or to the next hop router, depending on your network requirements.
3. Select OK.
4. Go to Policy & Objects > Policy > IPv4 and select Create New.
   If your network will be using IPv6 addresses, go to Policy & Objects > Policy > IPv6 and select Create New.
5. Set the Incoming Interface to the internal interface and the Outgoing Interface to the fext-wan1 interface. You will also need to set Source Address, Destination Address, Schedule, and Service according to your network requirements.
6. Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Destination Interface Address is selected.
7. Select OK.
routing configuration required to support redundant internet connections. In addition, the virtual WAN link configuration also includes new link health checking and settings to control traffic flow based on link health.
The FortiGate unit sees the virtual WAN link as a single interface, so the FortiGate's security policy configuration no longer has to be duplicated to support dual Internet links. One policy configuration to control traffic to the virtual WAN link is all that is required. You can also add or remove redundant Internet links just by adding or removing physical interfaces from the virtual WAN link. No additional changes to the routing, load balancing or firewall policy configuration are required.
Once you have added interfaces to the virtual WAN link, go to Router > Static > Static Route and add a default route for the virtual WAN link. Then add firewall policies that allow access to the Internet by setting the outgoing interface to virtual-wan-link.
For more information about using a virtual WAN link, see the FortiGate Cookbook recipe Redundant Internet connections (5.2.0).
Next, add Services that control how traffic patterns are affected by link quality. Services work like policy routes.
Configure a service by defining a traffic type (for example, SIP) and specifying whether this traffic always goes to
the highest quality interface, the lowest quality interface or a specific interface no matter the quality.
FortiGuard Services
Several changes have been made to how FortiGuard services can be received by your FortiGate unit.
Syntax
Use the following commands to configure your FortiGate unit with the addresses of three FortiManager units that the FortiGate will use to get FortiGuard signature updates:
config system central-management
    set fortimanager-fds-sigupdate-override enable
    set sig-update-server-1 10.10.10.10
    set sig-update-server-2 20.20.20.20
    set sig-update-server-3 30.30.30.30
end
When the FortiGate unit checks for signature updates it attempts to connect to update server 1. If the connection fails it tries update server 2, then 3, and gets updates from the first one that is available.
Use the following commands to configure your FortiGate unit with the addresses of three FortiManager units that the FortiGate will use for FortiGuard Web Filtering URL lookups:
config system central-management
    set fortimanager-fds-urllookup-override enable
    set url-lookup-server-1 11.11.11.11
    set url-lookup-server-2 12.12.12.12
    set url-lookup-server-3 13.13.13.13
end
When the FortiGate unit needs to do a web filtering lookup it attempts to connect to lookup server 1. If the connection fails it tries lookup server 2, then 3, and does the lookup on the first one that is available.
Syntax
config system central-management
    config server-list
        edit <ID>
            set server-type {rating | update}
            set server-address <address>
        next
    end
    set include-default-servers {enable | disable}
end
To configure communications to use port 80, go to System > Config > FortiGuard and expand Web Filtering
and Email Filtering Options. Select Use Alternate Port (80). This can also be configured using the CLI.
Syntax
config system fortiguard
set port 80
end
FortiGuard TCP stats can also be displayed using the diagnose test application urlfilter 20
command.
Netflow v9.0
FortiOS 5.2 supports Netflow v9.0. NetFlow services provide network administrators with access to IP flow
information from their data networks. Network elements (routers and switches) gather flow data and export it to
collectors. The collected data provides fine-grained metering for highly flexible and detailed resource usage
accounting.
A flow is defined as a unidirectional sequence of packets with some common properties that pass through a
network device. These collected flows are exported to an external device, the NetFlow collector. Network flow
records include details such as IP addresses, packet and byte counts, timestamps, application ports, and input
and output interfaces.
Syntax
config system netflow
set collector-ip <address>
set collector-port <port>
set source-ip <address>
set active-flow-timeout <integer>
set inactive-flow-timeout <integer>
end
The value for active-flow-timeout is used as the minimum length of a live session, as well as the interval
at which reports are sent. The default is 1 minute, meaning that if a session lives for a minute, it will be
reported in a Netflow packet.
The value for inactive-flow-timeout is used as the interval for sending a Netflow report of inactive (finished)
flows. Since FortiOS uses 1350-byte payloads, the number of reports in a packet is limited and multiple packets
may be sent regardless of this timer.
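Collector-side decoding of the v9 records an exporter such as the FortiGate sends, as an added example that is not part of this guide or of FortiOS: a Python parser for the RFC 3954 export header, template flowset and data flowset, run over a constructed sample packet. The field set, addresses and counters in the sample are assumptions; a real exporter chooses its own template fields, and a collector must cache templates because data flowsets are undecodable until the matching template has arrived.

```python
import struct
import ipaddress

# RFC 3954 field type numbers for the subset used in the constructed sample below.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
    8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr",
}
# Export packet header: version, count, sysUptime, unix_secs, sequence, source_id.
HEADER = struct.Struct("!HHIIII")


def decode_field(ftype, raw):
    """IPv4 address fields become dotted quads, everything else a big-endian integer."""
    if ftype in (8, 12):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates):
    """Decode one export packet. `templates` maps (source_id, template_id) to a field list
    and must persist across packets: a v9 data flowset is only decodable once the
    exporter's template flowset has been seen, so a collector caches templates."""
    version, count, _uptime, unix_secs, seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version={version})")
    records, offset = [], HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:  # template flowset, may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif flowset_id >= 256:  # data flowset, decoded with a cached template
            fields = templates.get((source_id, flowset_id))
            if fields is not None:  # unknown template: skip; exporters resend templates periodically
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):  # trailing bytes are 4-byte padding
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        # flowset id 1 (options template) and other reserved ids are ignored in this example
        offset += length
    return {"sequence": seq, "source_id": source_id, "unix_secs": unix_secs,
            "declared_count": count, "records": records}


def build_sample_packet(include_template=True):
    """Constructed sample export packet (not a FortiGate capture): template 256 describing
    seven fields, then a data flowset with two flow records and two bytes of padding."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, nbytes, npkts):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts))

    data = (rec("192.168.1.10", "203.0.113.5", 51514, 443, 6, 1350, 9)
            + rec("192.168.1.20", "198.51.100.7", 53000, 53, 17, 120, 1))
    pad = (-len(data)) % 4
    data_fs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    header = HEADER.pack(9, 3 if include_template else 2, 120000, 1700000000, 1, 0)
    return header + (template_fs if include_template else b"") + data_fs
```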
- Time zone
- TFTP server
- TFTP filename
Syntax
config system dhcp server
edit <integer>
set timezone-option {disable | default | specify}
set timezone <timezone_code>
set tftp-server <string>
set filename <file_name>
end
end
Syntax
config system interface
edit <name>
set type aggregate
set vdom root
set member <ports>
set min-links <integer>
set min-links-down administrative
end
end
Syntax
config system interface
edit <name>
set type {aggregate | redundant}
set link-up-delay <time>
end
end
Syntax
config system interface
edit <name>
set type redundant
set priority-override {enable | disable}
end
end
- Chassis ID
- Port ID
- TTL
- System Name
- System Description
- System Capabilities
- Aggregation
- Host Name
LLDP transmission is enabled by default on all ports that support a MAC address. It can be disabled globally, or
disabled on some interfaces or VDOMs, while being enabled on others.
Syntax
To disable LLDP globally or on a specific VDOM, use the following command:
config system global
set lldp-transmission disable
end
To enable LLDP at the individual interface level, first disable LLDP globally, then use the following command:
config system interface
edit <name>
set lldp-transmission enable
end
end
A summary line has been added at the bottom of the VDOM list to show global CPU, memory, sessions, and
sessions per second usage.
The CLI command diagnose system vd stats has been added to display VDOM statistics.
VDOM list
Syntax
1. Enabling the feature:
config system global
set gui-custom-language enable
end
4. Setting the custom language for an admin account with guest-auth enabled:
config system admin
edit <name>
set guest-auth enable
set guest-lang <lang_name>
end
end
5. Setting the custom language for an SSL-VPN portal with web-mode enabled:
config vpn ssl interface
edit <name>
Syntax
config system accprofile
edit <name>
set fwgrp custom
config fwgrp-permission
set packet-capture {read-only | read-write | none}
end
end
end
To enable SPAN on a hardware switch, go to System > Network > Interfaces and edit a hardware switch
interface. By default the system may have a hardware switch interface called lan. You can also create a new
hardware switch interface.
Select the SPAN checkbox. Select a source port from which traffic will be mirrored. Select the destination port to
which the mirrored traffic is sent. Select to mirror traffic received, traffic sent, or both.
Configuring SPAN
Syntax
config system virtual-switch
edit <port>
set span enable
set span-source-port <port>
set span-dest-port <port>
set span-direction {both | Tx | Rx}
end
end
Syntax
config system interface
edit port1
set mode pppoe
set service-name <name>
set ac-name <name>
end
end
Disabling FortiExplorer, the USB MGMT Port, and the Serial Console
New CLI commands have been added allowing you to disable access for FortiExplorer on Windows and OS X and
the USB MGMT port, or for the serial console, FortiExplorer iOS, the USB MGMT port, and 3G/4G MODEM
access.
Syntax
1. Disable FortiExplorer on Windows and OS X and the USB MGMT port:
config system console
set fortiexplorer disable
end
- module - show kernel module (this is only available when the kernel is in module mode).
Syntax
config system interface
edit <interface>
config vrrp
edit <id>
set vrdst <ip1> <ip2>
end
end
end
Syntax
config system global
set honor-df disable
end
Syntax
config system global
set login-timestamp disable
end
Modem Support
The Novatel MC679 and Sierra 313U modems are supported in FortiOS 5.2 for use with a FortiGate unit.
A MIB entry, fgUsbModemSignalStrength, has also been added to display modem signal strength.
Usability Enhancements
Many usability enhancements have been made to the web-based manager in FortiOS 5.2, in order to make the
configuration process more efficient. New usability enhancements include:
- FortiView Dashboards
FortiView Dashboards
In order for information to appear in the FortiView dashboards, disk logging must be
selected for the FortiGate unit. To select disk logging, go to Log & Report > Log
Config > Log Settings.
Disk logging is disabled by default for some FortiGate units. To enable disk logging,
enter the following command in the CLI:
config log disk setting
set status enable
end
Please note that flash-based logging has been disabled in FortiOS 5.2 for certain models. To view a complete list of affected models, please refer to the Release Notes.
The FortiView dashboards integrate real time and historical dashboards into a single view. These dashboards
can be found by going to Status > FortiView. Each dashboard will initially display the top 100 sessions but when
the results are filtered, other sessions may be displayed.
Each dashboard can be filtered by a variety of attributes. Attributes can be selected using the dropdown menu
located at the top of each widget, which displays only the options that have results; for example, if the only
applications in use are Dropbox, SSL, and Skype, the only options in the dropdown menu for the Application
filter will be Dropbox, SSL, and Skype.
Results can also be filtered using the various columns, although not all columns support this.
The dashboards also include different time options, allowing you to see current traffic in real-time, or historical
traffic that occurred in the last 5 minutes, 1 hour, or 24 hours.
Historical traffic is only supported on FortiGate models that have local storage. The 24
hours option is also unavailable for desktop models (FortiGate-90 series and below).
Sources
The Sources dashboard shows information about the sources of traffic on your FortiGate unit, including user and
device. Additional columns show information about sessions and bytes sent or received.
This dashboard can be filtered by source IP, source device, source interface, destination interface, and policy ID.
Applications
The Applications dashboard shows information about the applications being used on your network, including
application name, category, and risk level. Additional columns show information about sessions and bytes sent or
received.
This dashboard can be filtered by application, source interface, destination interface, and policy ID.
Cloud Applications
The Cloud Applications dashboard shows information about the cloud applications being used on your
network, including application name, category, risk level, login IDs, and, if applicable, the number of videos
played. If the cursor is held over the column showing the number of videos, the titles of these videos will be
shown. Additional columns show information about sessions and bytes sent or received.
Two different views are available for the Cloud Applications dashboard: applications and users. Applications
shows a list of the programs being used. Users shows information on the individual users of the cloud
applications, including the username if the FortiGate was able to view the login event.
This dashboard can be filtered by application, source interface, destination interface, and policy ID.
In order for information to appear in the Cloud Applications dashboard, an application control profile that has Deep Inspection of Cloud Applications turned on
must be enabled in a policy and SSL Inspection must use deep-inspection (for
more information, see "SSL Inspection").
Destinations
The Destinations dashboard shows information about the destination IPs of traffic on your FortiGate unit, as
well as the application used. Additional columns show information about sessions and bytes sent or received.
This dashboard can be filtered by destination IP, user, source interface, destination interface, and policy ID.
Websites
The Websites dashboard lists the top allowed and top blocked web sites. You can view information by domain or
by FortiGuard categories by using the options in the top right corner. Each FortiGuard category can be clicked on
in order to see a description of the category and several example sites, with content loaded from FortiGuard on
demand. New icons have also been added for FortiGuard category groups. Additional information is provided
about domain, browsing time, threat weight, sources, and bytes sent or received.
This dashboard can be filtered by source interface, domain, destination interface, and policy ID.
In order for information to appear in the Websites dashboard, web filtering must be
enabled in a policy, with FortiGuard Categories enabled.
Threats
The Threats dashboard lists the top users involved in incidents, as well as information on the top threats to your
network. Additional information is provided about the threat, category, threat level, threat weight, and number of
incidents.
This dashboard can be filtered by source interface, threat type, threat, destination interface, and policy ID.
In order for information to appear in the Threats dashboard, Threat Weight Tracking must be used.
All Sessions
The All Sessions dashboard shows information about all FortiGate traffic. To choose which columns you wish
to view, select Column Settings and place your desired columns in the right-hand box, in the order that you wish
them to appear.
This dashboard can be filtered by source IP, destination IP, application, source device, source interface,
destination interface, and policy ID. If you have set a filter in a different dashboard before viewing the All
Sessions dashboard, that filter will remain until manually cleared.
Drilldown Options
In all FortiView dashboards except for the All Sessions dashboard, you can view more information about a
particular session by right-clicking or double-clicking on the session to display the Drilldown to details... option,
which opens a summary page that includes further information about applications, sources, destinations, and
sessions where applicable.
From this summary page, you can access automatically filtered logs that will show a list of applicable sessions.
For example, if you have picked the IP address 192.168.120.110 from the Sources dashboard, you can then
select Drilldown to details... for Skype from the Applications column. This will open a log that displays all
sessions from 192.168.1.1 that used Skype. From this page, you can select Drilldown to details... for any
individual session, in order to view the log entry for that session.
In the All Sessions dashboard, filters are also used to narrow down what results are shown. If you are viewing
historical traffic in the All Sessions dashboard, you can also add an element to a filter by right-clicking the
element and selecting Set Filter.
Removed Features
Several features have been removed from the FortiGate Setup Wizard:
- Virtual Servers
The WAN Topology options have also been simplified so that the only option is Single Ethernet.
FortiWiFi
Several additional changes have occurred for FortiWiFi units, found in the LAN + WiFi Settings section of the
wizard:
- The default SSID is now named fortinetXXXX, where XXXX is the last 4 digits of the FWF serial number.
Internet Access
The following changes have been made to the Internet Access section of the wizard:
- Selecting Block Viruses and Malicious Content enables anti-virus and web filtering
Remote VPN
In the Remote VPN section, an option has been added to set up dynamic DNS with FortiGuard. The option is
enabled by default.
A DHCP Server column has been added to the interface list that shows which interfaces have been enabled as a
DHCP server and the assigned IP range.
The DHCP Client List has been improved by adding device icons and changing the Expires column to show the
amount of time left on the DHCP lease.
New addressing modes have been added to support IPv6 and PPPOE. The option for IPv6 will only appear if it has
been enabled in the web-based manager, while PPPOE options only appear if IPv4 addressing is set to PPPOE as
well.
Options have been added to DHCP Monitor, allowing DHCP leases to be revoked and IP reservations to be added
or edited.
Advanced DHCP configuration can now be done through the web-based manager. To enable this feature, the
following syntax must be used in the CLI:
config system global
set gui-dhcp-advanced enable
end
After this has been enabled, an Advanced menu can be expanded when configuring DHCP on a network
interface.
- A graphics list that allows you to select from predefined images or upload a new image
Syntax
config system global
set gui-lite disable
end
Firewall
New firewall features include:
- Menu Simplification
Menu Simplification
Security policies and firewall objects are now found in the same menu, called Policy & Objects.
Policies
The menu option for policies, found at Policy & Objects > Policy, has been expanded to include the following
policy types:
- IPv4
- IPv6
- NAT64
- NAT46
- DoS
- IPv6 DoS
- Multicast
- Local In
- Proxy Options
Objects
The following firewall objects have been grouped together under a single menu, found at Policy & Objects >
Objects:
- Addresses
- Services
- Schedules
- Traffic Shapers
- Virtual IPs
- IP Pools
Groups
Object groups can now be made by expanding the arrow beside Create New and selecting Group.
Traffic Shapers
Shared and Per-IP shapers have been combined into a single page, with a Type field added to the creation page.
An additional column, Type, has also been added to the traffic shapers table.
If both Source User(s) and Source Device Type are set, then traffic must match both fields in order to be
accepted by the policy. Both these fields are optional; only Source Address must be set.
For policies that require user or device authentication, there is an implicit fall-through to allow traffic to be
checked against other policies if it does not match the authentication requirements. This option cannot be
disabled and the CLI command set fall-through-unauthenticated has been removed.
For more information about security policies in FortiOS 5.2, please see the FortiGate Cookbook recipe Creating
security policies.
To create a policy for SSL VPNs, an SSL VPN interface is created and used as the source interface. For more
information about this interface creation, see SSL VPN Configuration on page 101.
Syntax
config firewall vip
edit 1
set type dns-translation
set extip 192.168.0.1-192.168.0.100
set extintf dmz
set dns-mapping-ttl 604800
set mappedip 3.3.3.0/24 4.0.0.0/24
end
end
In addition, FortiOS Carrier now indicates the GTP version in rate limiting log messages and writes a rate limiting
warning log message when a packet exceeds the rate limiting threshold.
Syntax
config firewall gtp
edit <name>
set rate-limit-mode {per-profile | per-stream}
end
end
Syntax
config firewall gtp profile
set rate-limit-mode per-apn
config per-apn-shaper
edit <ID>
set apn <string>
set version <version>
set rate-limit <rate-limit>
end
end
A Universally Unique Identifier (UUID) attribute has been added to some firewall objects, including virtual IPs and
virtual IP groups for IPv4, IPv6, NAT46, and NAT64, so that the logs can record these UUIDs to be used by a
FortiManager or FortiAnalyzer unit.
The UUID of an object can either be generated automatically or assigned through the CLI. To view the UUID for
these objects in a FortiGate unit's logs, log-uuid must be set to extended mode, rather than policy-only, which
only shows the policy UUID in a traffic log.
Syntax
config system global
set log-uuid {disable | policy-only | extended}
end
config firewall {policy | policy6 | policy46 | policy64 | address | address6 | addrgrp | addrgrp6}
edit <1>
set uuid <8289ef80-f879-51e2-20dd-fa62c5c51f44>
end
end
Syntax
config firewall {policy | policy6}
edit <id>
set vlan-cos-fwd <int>
set vlan-cos-rev <int>
end
end
Security Profiles
New security profiles features include:
- SSL Inspection
- Web Filtering
- Application Control
- Flow-based Antivirus
- Client Reputation
AntiVirus
Several changes have been made for the configuration options in AntiVirus profiles, as visible options change
depending on whether Inspection Mode is set to Flow-based or Proxy.
Proxy Options
If proxy inspection is used for AntiVirus, the additional Block or Monitor options are available for both detected
viruses and Botnet C&C servers. The previous options for using FortiSandbox and protocol selection are also
available.
Web Filter
The web filter profile page has been expanded to contain settings for FortiGuard Categories, Search
Engines, URL Filters, Ratings Options, and Proxy Options.
Intrusion Protection
The IPS sensor page now contains options for Pattern Based Signatures and Filters and Rate Based
Signatures. The full list of IPS Signatures can be accessed from the sensor page by selecting View IPS
Signatures.
Application Control
The following changes have been made to improve usability in the web-based manager:
- A new category list has been made that appears on the sensor page, found by going to Security Profiles >
Application Control. When you click on a category, a drop down menu appears, allowing the action for that
category to be changed. You can also select to view all the application control signatures for that category.
- Application signatures can be viewed by selecting View Application Signatures.
- Application Overrides allow you to change the action taken for specific signatures/applications.
- The application filter sorting criteria popularity, technology, and risk have been removed.
Advanced Options
A new advanced menu has been added that contains the following features:
- DLP fingerprinting
Web Rating Overrides can also now be used to edit or delete custom website categories.
SSL Inspection
There have been several changes to how SSL Inspection is handled on a FortiGate unit.
There are now two modes for SSL inspection: certificate inspection (certificate-inspection in the CLI),
which only inspects the SSL handshake, and deep inspection (deep-inspection in the CLI), which
enables full deep inspection of SSL traffic (this was previously the default mode for SSL inspection).
The SSL inspect-all option and the https status option now have three states: disable,
certificate-inspection, and deep-inspection. The status option for the other protocols now uses
deep-inspection instead of enabled.
When a new policy or profile group is created, the SSL inspection profile certificate-inspection is
automatically added.
Syntax
config firewall ssl-ssh-profile
edit <name>
config ssl-exempt
edit <id>
set type {fortiguard-category | address | address6}
set category <id>
set address <string>
end
end
The following command re-generates the default SSL inspection server certificate:
execute vpn certificate local generate default-ssl-serv-key
Server Certificates
In FortiOS 5.2, two methods are available to support server certificates and allow inbound traffic to be inspected:
Multiple Clients Connecting to Multiple Servers (re-sign in the CLI) or Protecting SSL Server
(replace in the CLI).
The default setting for SSL Inspection is Multiple Clients Connecting to Multiple Servers. This setting can
be changed by going to Policy & Objects > Policy > SSL Inspection or through the CLI.
Web Filtering
There have been several changes made to web filtering in FortiOS 5.2.
Syntax
config webfilter fortiguard
set ovrd-auth-https enable
set warn-auth-https enable
end
Syntax
config web-proxy profile
edit <name>
config headers
edit <ID>
set name <name>
set content <string>
end
end
Syntax
1. The web-proxy profile is configured with a modified header:
config web-proxy profile
edit "restrict-google-accounts-1"
config headers
edit 1
set name "X-GoogApps-Allowed-Domains"
set content "example.com"
end
end
5. Explicit proxy - the web-proxy policy and the web filter profile are applied to an explicit proxy policy:
config firewall explicit-proxy-policy
edit 1
set proxy web
set dstintf "WAN"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "always"
set webproxy-profile "restrict-google-accounts-1"
set utm-status enable
set webfilter-profile "GMAIL_TEST"
set profile-protocol-options "default"
set ssl-ssh-profile "deep-inspection"
end
end
After this command is used, a new column will be created in Security Profiles > Web Filter > Static URL
Filter to set the referer.
The command set referrer-host has been added to the CLI. The CLI has also changed so that URL
filters are now identified by their IDs, and the URL values can be set under each entry.
Syntax
config webfilter urlfilter
edit <ID>
config entries
edit 1
set url <url>
set referrer-host <url>
set type {simple | regex | wildcard}
set action {block | allow | monitor | exempt}
set status {enable | disable}
end
end
Syntax
config webfilter profile
edit <name>
config ftgd-wf
set rate-javascript-urls enable
set rate-css-urls enable
set rate-crl-urls enable
set rate-image-urls enable
end
end
Application Control
There have been several changes made to application control.
Syntax
config application list
edit <name>
set deep-app-inspection enable
end
end
Using the CLI, you can specify a global timeout for the deep application control database. Any database entries
that exceed the timeout will be deleted. A global size threshold on the number of entries in the deep application
control database can also be set.
When the total number of entries exceeds this threshold, the internal timeout value will be reduced to accelerate
entry retiring. Both values are set to 0 (unlimited) by default.
Syntax
config ips global
set deep-app-insp-timeout <integer>
set deep-app-insp-db-limit <integer>
end
A new option, --deep_ctrl, has also been added to the syntax for IPS/application control signatures.
Several new CLI commands have also been added for diagnose and debugging:
To apply settings, select a category and set it to Traffic Shaping. The Traffic Shaping Settings options will
appear, allowing you to select the settings for forward and reverse traffic shaping. These settings will be applied
to all categories set to Traffic Shaping in your application control sensor.
5-Point-Risk Rating
A new rating system will be used for all pages related to application control, including the application list, the
application filters list, traffic logs, the FortiView Applications dashboard, and the FortiView All Sessions
dashboard. Risk levels are indicated in the various tables and logs by using a series of icons.
The rating system is as follows:
The rating table has the columns Icon, Risk Level, Description, and Example; the five risk levels are Critical, High,
Elevated, Medium, and Low, with Tor and SpyBoss given as example applications.
Replacement Message
A replacement message has been added that will appear when an application has been blocked.
This replacement message can be enabled in the CLI.
Syntax
config application list
edit <name>
set app-replacemsg {enable | disable}
end
end
Flow-based Antivirus
In FortiOS 5.2, flow-based AntiVirus has been improved to have the same enhanced performance as flow-based
antivirus scanning in FortiOS 5.0 while providing the same accuracy and many of the extended features of proxy-based antivirus.
Flow-based AntiVirus now allows data to accumulate until it detects the end of a file. When the end is reached,
traffic is paused and data is sent asynchronously for analysis. When the results are received, the traffic is either
allowed to resume or the connection is reset.
Because of this change, the default AntiVirus profile on a FortiGate uses flow-based inspection. Flow-based
inspection can also utilize the extended AntiVirus database. Detecting and reporting only occurs when AntiVirus is
enabled in the security policy.
Flow-based AntiVirus is also supported for sniffer policies.
Example
In this example, a set of meta data is declared and then used to create IPS signatures.
The meta data is declared:
F-META2(--name points; --index 12; --type integer; )
F-META2(--name flags; --index 34; --type bitmap; --value foo:1; --value bar:2; --value baz:4; )
F-META2(--name dr_seuss; --index 56; --type enum; --value "One Fish":1; --value "Two Fish":2; --value "Red Fish":3; --value "Blue Fish":4; )
F-META2(--name secret; --index 78; --type string; )
Extended Database
In FortiOS 5.2, the IPS extended database is enabled by default for all FortiGate models that have multiple CP8.
Vulnerability scanning is also hidden by default for FortiClient profiles until being enabled in the CLI. To enable
scanning, enter the following commands:
config endpoint-control profile
edit <profile-name>
config forticlient-winmac-settings
set forticlient-vuln-scan {enable | disable}
set forticlient-vuln-scan-schedule {daily | weekly | monthly}
set forticlient-vuln-scan-on-registration {enable | disable}
set forticlient-ui-options {av | wf | af | vpn | vs}
end
end
- config imp2p
- get imp2p
- The DLP sensor options for AIM, ICQ, MSN, and Yahoo protocols.
Client Reputation
The 5.0 feature client reputation has been renamed Threat Weight in FortiOS 5.2 and has been moved from
Security Profiles to Log & Report > Log Config > Threat Weight. It can now be configured in the CLI using
the command config log threat-weight.
IPsec VPN
New IPsec VPN features include:
- New Menu
The Wizard can now be found by going to VPN > IPsec > Wizard.
For more information about using the VPN Wizard, see the FortiGate Cookbook recipe IPsec VPN for iOS
devices.
Tunnel Templates
Several tunnel templates have been added to the Wizard that cover a variety of different types of IPsec VPNs. A
list of these templates appears on the first page of the Wizard, which is found by going to VPN > IPsec >
Tunnels.
To view more information about a template, highlight the template and select View.
Multiple Interfaces
An IPsec policy can now contain multiple source and destination interfaces. This feature is supported for
combinations of IPsec interfaces, physical interfaces, and zones (including those with a combination of physical
and IPsec interfaces).
It is not supported for SSL VPN interfaces.
Mode-Configuration
When IKE Mode-Configuration is enabled, multiple server IPs can be defined in IPsec Phase 1. This mode also
allows IP information to be sent to the client if attribute 28681 is requested.
Mode-Configuration is configured through the CLI. An example of a complete configuration is shown below:
config vpn ipsec phase1-interface
edit "vpn-p1"
set type dynamic
set interface "wan1"
set xauthtype auto
set mode aggressive
set mode-cfg enable
set proposal 3des-sha1 aes128-sha1
set dpd disable
set dhgrp 2
set xauthexpire on-rekey
set authusrgrp "FG-Group1"
set ipv4-start-ip 10.10.10.10
set ipv4-end-ip 10.10.10.20
set ipv4-dns-server1 1.1.1.1
set ipv4-dns-server2 2.2.2.2
set ipv4-dns-server3 3.3.3.3
set ipv4-wins-server1 4.4.4.4
set ipv4-wins-server2 5.5.5.5
set domain "fgt1c-domain"
set banner "fgt111C-banner"
set backup-gateway "100.100.100.1" "100.100.100.2" "host1.com" "host2"
end
end
Certificate Groups
IKE certificate groups consisting of up to four RSA certificates can now be used in IKE phase 1. Since CA and
local certificates are global, the IKE daemon loads them once for all VDOMs and indexes them into trees based
on subject and public key hash (for CA certificates), or certificate name (for local certificates). Certificates are
linked together based on the issuer, and certificate chains are built by traversing these links. This reduces the
need to keep multiple copies of certificates that could exist in multiple chains.
Authentication Methods
Three new authentication methods have been implemented for IKE: ECDSA-256, ECDSA-384, ECDSA-521.
In order to support these three methods, the following changes have been made to the CLI:
1. rsa-signature has been renamed to signature for both policy-based and interface-based IPsec VPN.
2. rsa-certificate has been renamed to certificate for both policy-based and interface-based IPsec
VPN.
Syntax
config vpn ipsec {phase1 | phase1-interface}
edit <name>
set xauthtype auto
end
end
To use this feature, the DHCP proxy must be enabled and an IP range set. Up to 8 addresses can be selected for either
IPv4 or IPv6. After the DHCP proxy has been configured, the assign-ip-from command is used to assign IP
addresses via DHCP.
Syntax
1. Enabling the DHCP proxy and setting an IP range.
config system settings
set dhcp-proxy enable
set dhcp-server-ip <IP_address>
set dhcp6-server-ip <IP_address>
end
2. Setting the IPsec phase one to assign IP addresses using the DHCP proxy.
config vpn ipsec phase1
edit <id>
set assign-ip-from dhcp
end
end
IP assignment can also come from a locally defined range or via the user group.
Transform Matching
FortiOS 5.2 supports combining multiple encryption, authentication, PRF, and DH transforms in a single IKEv2
proposal, which is used for selecting a transform set when the FortiGate unit is the responder. Each proposal now
holds lists of transforms, instead of having just a single value per transform type. When negotiating, the proposal
iterates over the transform lists to find a match.
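The responder-side selection described above, as an added example that is not FortiOS code: a Python model of IKEv2 proposals whose transform types each hold an ordered list, matched against the local proposals, with the older one-value-per-type form built alongside for comparison. Transform names are CLI-style labels rather than the RFC 7296 numeric IDs, and the policies are constructed.

```python
from dataclasses import dataclass
from itertools import product

# The four transform types an IKE SA proposal carries (RFC 7296, section 3.3.2).
TRANSFORM_TYPES = ("encr", "prf", "integ", "dh")


@dataclass
class Proposal:
    """One IKEv2 proposal. Each attribute is an ordered list of acceptable transforms
    of that type, most preferred first (the multi-transform form described above)."""
    encr: list
    prf: list
    integ: list
    dh: list


def select_as_responder(initiator_proposals, responder_proposals):
    """Responder-side matching: take the initiator's proposals in order and, for the first
    that overlaps a local proposal in every transform type, pick exactly one transform per
    type (local preference order breaks ties). Returns (index, chosen) or None."""
    for index, theirs in enumerate(initiator_proposals):
        for ours in responder_proposals:
            chosen = {}
            for ttype in TRANSFORM_TYPES:
                offered = getattr(theirs, ttype)
                match = next((t for t in getattr(ours, ttype) if t in offered), None)
                if match is None:
                    break  # this local proposal cannot satisfy the initiator's
                chosen[ttype] = match
            else:
                return index, chosen
    return None  # responder would answer NO_PROPOSAL_CHOSEN


def expand_single_valued(proposals):
    """Legacy form: one value per transform type, so a policy accepting n x m combinations
    needs n*m proposals. Built from multi-transform proposals to compare the two shapes;
    note that with this form the initiator's ordering, not the responder's, decides."""
    out = []
    for p in proposals:
        for encr, prf, integ, dh in product(p.encr, p.prf, p.integ, p.dh):
            out.append(Proposal([encr], [prf], [integ], [dh]))
    return out
```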
Cookie Notification
Upon detecting that the number of half-open IKEv2 SAs is above the threshold value, the VPN dialup server will
require all future SA_INIT requests to include a valid cookie notification payload that the server sends back, in
order to preserve CPU and memory resources.
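A model of the cookie exchange described above, as an added example that is not FortiOS code: a Python responder that, once the half-open threshold is reached, allocates no state for an IKE_SA_INIT until the initiator retries with an HMAC cookie bound to its SPI, nonce and source address. The threshold, the half-open lifetime and the two-secret rotation scheme are assumptions for illustration.

```python
import hashlib
import hmac
import os


class Ikev2Responder:
    """Dialup responder that switches to cookie-based admission (RFC 7296, section 2.6)
    once too many IKE_SA_INIT exchanges are half-open."""

    def __init__(self, half_open_threshold, half_open_ttl=30, secret=None):
        self.threshold = half_open_threshold
        self.ttl = half_open_ttl
        self.half_open = {}                       # initiator SPI -> time state was allocated
        self.version = 1                          # cookie secret version, bumped on rotation
        self.secrets = {1: secret or os.urandom(32)}

    def _cookie(self, version, spi_i, nonce_i, src_ip):
        # Stateless: the cookie is derived from the initiator's SPI, nonce and address, so
        # nothing is stored for a peer until it proves it can receive at src_ip.
        msg = b"|".join([spi_i, nonce_i, src_ip.encode()])
        tag = hmac.new(self.secrets[version], msg, hashlib.sha256).digest()[:16]
        return version.to_bytes(2, "big") + tag

    def _cookie_valid(self, cookie, spi_i, nonce_i, src_ip):
        if cookie is None or len(cookie) < 2:
            return False
        version = int.from_bytes(cookie[:2], "big")
        if version not in self.secrets:
            return False                          # issued under a retired secret
        return hmac.compare_digest(cookie, self._cookie(version, spi_i, nonce_i, src_ip))

    def rotate_secret(self):
        """Keep only the current and previous secret so in-flight cookies stay valid."""
        self.version += 1
        self.secrets = {self.version - 1: self.secrets[self.version - 1],
                        self.version: os.urandom(32)}

    def handle_sa_init(self, spi_i, nonce_i, src_ip, cookie, now):
        """Returns ("cookie", payload) when the initiator must retry including the cookie,
        or ("accept", None) once half-open state has been allocated for it."""
        # Expire stale half-open SAs first; they are the resource the flood tries to exhaust.
        self.half_open = {spi: t for spi, t in self.half_open.items() if now - t < self.ttl}
        if len(self.half_open) >= self.threshold:
            if not self._cookie_valid(cookie, spi_i, nonce_i, src_ip):
                return ("cookie", self._cookie(self.version, spi_i, nonce_i, src_ip))
        self.half_open[spi_i] = now
        return ("accept", None)
```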
Syntax
config vpn ipsec phase1-interface
edit <name>
set mesh-selector-type {disable | subnet | host}
end
end
add-route
The add-route option is now available for all dynamic IPsec phase 1s and phase 2s, for both policy-based and
route-based IPsec VPNs. This allows you to control the addition of a route to a peer destination selector.
This option was previously only available when mode-cfg was enabled in phase 1. Also, in phase 2, a new
option has been added allowing add-route to automatically match the settings in phase 1.
Syntax
1. Configuring phase 1:
config vpn ipsec {phase1 | phase1-interface}
edit <name>
set type dynamic
set add-route {enable | disable}
end
2. Configuring phase 2:
config vpn ipsec {phase2 | phase2-interface}
edit <name>
set add-route {phase1 | enable | disable}
end
The default Phase1 proposals are: aes128-sha256, aes256-sha256, 3des-sha256, aes128-sha1, aes256-sha1, and
3des-sha1.
The default Phase2 proposals are: aes128-sha1, aes256-sha1, 3des-sha1, aes128-sha256, aes256-sha256, and
3des-sha256.
The default Diffie-Hellman (DH) group for phase1 and phase2 has changed from 5 to 14.
include group 14 and 5, in that order. You can add and remove other groups and the order they appear in the
configuration is the order in which they are negotiated.
The IKEv1 protocol does not natively provide for DH group negotiation in Aggressive Mode and Quick Mode. As a
result, when multiple DH groups are used with IKEv1 Aggressive Mode or Quick Mode, delays in tunnel
establishment can occur and so it is recommended to continue to configure matching DH groups on both peers
whenever possible.
During negotiation with multiple DH groups, the new operation is as follows:
1. IKEv1 Aggressive Mode Initiator: Since Aggressive Mode includes the KE payload in the first message, FortiOS must select a group to use to generate the DH public number. FortiOS starts with the first group in the list. If the negotiation fails due to timeout, it will try the second group, and finally the third. If the third also fails, FortiOS goes back to the first DH group again, and starts over. Once it finds the correct group and the tunnel is established, it will continue to use that group for re-keying as long as the VPN connection remains up.
2. IKEv1 Aggressive Mode Responder: If the group proposed by the initiator doesn't match the group proposed by the responder, the negotiation fails due to no proposal chosen. Since authentication has not been established, the responder cannot send a notify message to the initiator. The initiator will try the next DH group in its configuration when the negotiation timeout occurs, which takes 30 seconds by default. At that point, if the next DH group is a successful match, the tunnel comes up.
3. IKEv1 Main Mode Initiator: In Main Mode, the SA and KE payloads come in different messages. The SA parameters, including DH group, are negotiated first in MM1 and MM2, then the KE payloads are exchanged in the MM3 and MM4 messages. So no change was made for Main Mode.
4. IKEv1 Main Mode Responder: As above, no change for Main Mode.
5. IKEv1 Quick Mode Initiator: Quick Mode has the same problem as Aggressive Mode, in that the SA proposal and KE payloads arrive in the same message. So unlike Main Mode, the initiator does not know the negotiated DH group prior to constructing its KE payload. Like with Aggressive Mode, it will start with the first group in the configured DH group list. If the negotiation times out, or if a No-Proposal-Chosen notify message is received from the responder, the initiator will switch to the next group in the list and try again.
6. IKEv1 Quick Mode Responder: Similar to Aggressive Mode, if the initiator's first group doesn't match, the Quick Mode will fail with a no proposal chosen error. In Quick Mode, you have the benefit of an authenticated IKE SA by which you can immediately notify the peer of the error. Sending the No-Proposal-Chosen notify to the initiator allows the initiator to try the next group immediately without waiting for a timeout.
7. IKEv2 SA_INIT/CHILD_SA Initiator: Like Aggressive Mode, in IKEv2 both the SA_INIT and CHILD_SA exchanges have the SA proposal and KE payload in the same message. However, unlike IKEv1, the IKEv2 RFC specifies a mechanism to handle this. In IKEv2, if the negotiated DH group does not match the group specified in the KE payload, the INVALID_KE notify message is sent and the initiator retries the exchange using the DH group specified in the notify message. Initiator side support for handling the INVALID_KE message has been added. This code wasn't needed previously, as the IKEv2 CLI allowed only one DH group to be configured. Now that the CLI restriction has been removed and multiple DH groups can be configured for IKEv2 in the phase1 and phase2 settings, the initiator will handle receipt of INVALID_KE messages as per the IKEv2 RFC. As long as the VPN connection remains up, the initiator will subsequently re-key using the negotiated group.
8. IKEv2 SA_INIT/CHILD_SA Responder: The responder side of the IKEv2 code already supports handling of the INVALID_KE message.
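The eight cases above as a small simulation (an added example, not FortiOS code) that makes the cost of mismatched DH group ordering visible per mode. It assumes, beyond what the text says, that a responder accepts any group in its own list, that an IKEv2 responder selects the first group in its own list that the initiator also proposed, and that each failed Aggressive Mode attempt costs one full negotiation timeout while Quick Mode and IKEv2 retries cost none.

```python
"""Simulation of FortiOS 5.2 multi-DH-group negotiation (added example, not
FortiOS code). Assumptions not stated in the text: a responder accepts any group
in its own list; an IKEv2 responder picks the first group in its own list that
the initiator also proposed; every failed Aggressive Mode attempt costs one
negotiation timeout (30 s by default); Quick Mode and IKEv2 retries cost none."""

DEFAULT_TIMEOUT = 30  # seconds, the default negotiation timeout named in case 2

MODES = ("ikev1-main", "ikev1-aggressive", "ikev1-quick", "ikev2")


class NoProposalChosen(Exception):
    """The peers share no DH group, so the tunnel cannot come up."""


def negotiate_dh(mode, initiator_groups, responder_groups, timeout=DEFAULT_TIMEOUT):
    """Return (negotiated_group, attempts, seconds_waited) for one tunnel setup.

    Group lists are tried in configured order, since the text says the order in
    the configuration is the order in which groups are negotiated.
    """
    if not initiator_groups or not responder_groups:
        raise ValueError("both peers need at least one DH group")
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")

    if mode == "ikev1-main":
        # Cases 3 and 4: the DH group is agreed in MM1/MM2 before any KE payload
        # is built, so the initiator never has to guess; one attempt, no waiting.
        for group in initiator_groups:
            if group in responder_groups:
                return group, 1, 0
        raise NoProposalChosen(mode)

    if mode == "ikev1-aggressive":
        # Cases 1 and 2: KE travels in the first message, so the initiator guesses
        # its first group. The responder cannot send a notify before
        # authentication, so a mismatch is only detected by timeout, and only
        # then is the next group tried. The text says FortiOS wraps around to the
        # first group again; this simulation stops after one full pass instead.
        waited = 0
        for attempt, group in enumerate(initiator_groups, start=1):
            if group in responder_groups:
                return group, attempt, waited
            waited += timeout
        raise NoProposalChosen(mode)

    if mode == "ikev1-quick":
        # Cases 5 and 6: same guess as Aggressive Mode, but the IKE SA is already
        # authenticated, so the responder's No-Proposal-Chosen notify lets the
        # initiator move to the next group without waiting for a timeout.
        for attempt, group in enumerate(initiator_groups, start=1):
            if group in responder_groups:
                return group, attempt, 0
        raise NoProposalChosen(mode)

    # Cases 7 and 8 (IKEv2): the KE payload uses the initiator's first group. If
    # the group the responder selects differs, its INVALID_KE notify names that
    # group and the initiator retries once with it: at most two exchanges.
    chosen = next((g for g in responder_groups if g in initiator_groups), None)
    if chosen is None:
        raise NoProposalChosen(mode)
    return chosen, (1 if chosen == initiator_groups[0] else 2), 0


def compare_orderings(initiator_groups, responder_groups, timeout=DEFAULT_TIMEOUT):
    """Map each mode to its (group, attempts, seconds_waited) result, so the
    cost of mismatched orderings can be read side by side."""
    return {m: negotiate_dh(m, initiator_groups, responder_groups, timeout) for m in MODES}


if __name__ == "__main__":
    # Initiator uses the new default order (14, 5); the responder still offers only 5.
    for mode, result in compare_orderings([14, 5], [5]).items():
        print(f"{mode:<17} group={result[0]} attempts={result[1]} waited={result[2]}s")
```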
SSL VPN
New SSL VPN features include:
VPN Settings
The SSL VPN settings page, found at VPN > SSL > Settings, has been reorganized to be more intuitive. The
settings are now found in the following sections:
- Connection Settings define how users connect and interact with an SSL VPN portal. This section includes Listen on Interface(s), Idle Logout, and Server Certificate.
- Tunnel Mode Client Settings define the settings that clients will receive upon connecting to the VPN. This section includes Address Range and Allow Endpoint Registration.
- Authentication/Portal Mapping allows you to define different portals to different users and groups.
VPN Portal
New options for split tunneling have been added to SSL VPN portals, which are configured by going to VPN >
SSL > Portals, including a routing address and a tunnel mode for IPv6. These options can also be configured in
the CLI, using the command config vpn ssl web portal.
Syntax
config system
set buffer
set header
set format
end
Authentication
New authentication features include:
- Captive Portal
- Authentication Blackouts
Captive Portal
There have been several changes made to authentication using a captive portal. Additional captive portal options
have also been added for wireless networks. For more information, see Captive Portal for WiFi on page 112.
Syntax
In the following example, the LAN interface is configured with an external captive portal that has a specified URL
(http://10.6.2.218/?Auth=Success) to redirect clients to after successful authentication.
config system interface
edit "lan"
set security-mode captive-portal
set security-external-web "http://10.6.2.218/portal"
set security-redirect-url "http://10.6.2.218/?Auth=Success"
set security-groups "rug1"
end
Exempting a Policy
Security policies can now be exempt from captive portals, using the command captive-portal-exempt
enable.
Replacement Messages
The captive portal-specific replacement messages have been removed. Authentication replacement messages
will be used for portals.
In the web-based manager, the lower limit is restricted if there are existing group members. In order to set a lower number, guest accounts must be removed prior to the limit
being set.
Syntax
config user group
edit guest-group
set group-type guest
set max-accounts [0-1024]
end
Syntax
config user ldap
set search-type nested
end
Syntax
config user setting
set auth-ca-cert <name>
end
Authentication Blackouts
If five failed logins are made from an IP within one minute, the IP is put on a blackout list. Future logins from this
IP are rejected as long as the IP is on this list. The IP remains on the blackout list for auth-blackout-time seconds.
The amount of time an IP is blacklisted can be configured through the CLI:
Syntax
config user setting
set auth-blackout-time 300
end
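The blackout rule described above, run over constructed login records (an added example, not FortiOS code): five failures from one source IP within one minute list the IP for auth-blackout-time seconds (300, matching the Syntax block), and every login from a listed IP is rejected until the blackout expires. The record format, field names and timestamps are constructed for the example.

```python
"""Authentication blackout logic as described in the text (added example, not
FortiOS code). Records have the constructed form 'time ip result'."""

from collections import defaultdict, deque

FAILURE_LIMIT = 5          # failed logins ...
WINDOW_SECONDS = 60        # ... within one minute
AUTH_BLACKOUT_TIME = 300   # set auth-blackout-time 300


class BlackoutList:
    def __init__(self, blackout_time=AUTH_BLACKOUT_TIME):
        self.blackout_time = blackout_time
        self.failures = defaultdict(deque)  # ip -> times of recent failed logins
        self.listed_until = {}              # ip -> time the blackout expires

    def is_listed(self, ip, now):
        return now < self.listed_until.get(ip, now)

    def attempt(self, ip, now, success):
        """Process one login attempt and return how it was handled: 'rejected'
        (IP is on the blackout list), 'ok', 'failed', or 'blackout' (this failure
        was the fifth within a minute and put the IP on the list)."""
        if self.is_listed(ip, now):
            return "rejected"   # even a correct password is refused while listed
        if success:
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:   # keep only the last minute
            recent.popleft()
        if len(recent) >= FAILURE_LIMIT:
            self.listed_until[ip] = now + self.blackout_time
            recent.clear()
            return "blackout"
        return "failed"


def replay(records, blackout_time=AUTH_BLACKOUT_TIME):
    """Feed constructed 'time ip result' records through the rule and return the
    list of (time, ip, outcome) decisions in order."""
    bl = BlackoutList(blackout_time)
    decisions = []
    for rec in records:
        t, ip, result = rec.split()
        decisions.append((int(t), ip, bl.attempt(ip, int(t), result == "success")))
    return decisions


# Constructed records: a burst of bad passwords from 10.1.1.5, a slower trickle
# from 10.1.1.9 that never reaches five failures in any one minute, and a valid
# login from 10.1.1.5 both during and after its blackout.
SAMPLE_RECORDS = [
    "0 10.1.1.5 fail", "1 10.1.1.5 fail", "2 10.1.1.5 fail", "3 10.1.1.5 fail",
    "4 10.1.1.5 fail",        # fifth failure within 60 s: listed until t=304
    "5 10.1.1.9 fail", "30 10.1.1.9 fail", "55 10.1.1.9 fail", "80 10.1.1.9 fail",
    "100 10.1.1.5 success",   # correct password, still rejected while listed
    "105 10.1.1.9 fail",      # at most four failures inside any 60 s window
    "304 10.1.1.5 success",   # blackout expired, login allowed again
]

if __name__ == "__main__":
    for t, ip, outcome in replay(SAMPLE_RECORDS):
        print(f"t={t:>3} {ip:<9} {outcome}")
```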
Syntax
config user group
edit SSO_Guest_group
set member <names>
end
end
Managing Devices
New device management features include:
- Endpoint Licenses
- Client Web Filtering when On-Net: when enabled, web filtering is applied to FortiClient traffic even when it is protected by a FortiGate unit.
- Auto-connect when Off-Net: this option allows the FortiClient to autoconnect to a VPN even when it has an off-net status.
- Client-based Logging when On-Net: when enabled, the FortiClient will continue to log even when its traffic is flowing through a FortiGate unit.
Endpoint Licenses
New Endpoint licenses are now available in FortiOS 5.2. Information about the status of the current license can
be found in the FortiClient section of the License Information widget.
The following licenses will be available:
Because the new licenses are for one year, the activation method has changed. New licenses are purchased
similarly to a FortiGuard service, with no further registration of the license required. The device can then be
registered with the FortiGate unit.
If the device does not have access to the Internet, you can download the license key from the support site and manually
upload it to your FortiGate. The license will be for that specific device and will have a license expiry date.
While the older licenses from FortiOS 5.0 will still be supported, they will have the following limitations:
- Windows PC (includes Windows servers and computers but not tablets or phones)
- Mac
- Linux
- Printer
- VoIP phones
To improve accuracy, device types are now identified using UIDs instead of MAC addresses.
Wireless Networking
New wireless networking features include:
- FortiAP Management
- RADIUS Accounting
FortiAP Management
How FortiAP units are managed by a FortiGate unit has changed in several ways.
Syntax
config wireless-controller wtp
edit <name>
set override-profile enable
end
end
AP Scanning
AP scanning, including rogue AP detection, is now part of WIDS Profiles. It can be found by going to WiFi
Controller > WiFi Network > WIDS Profiles. It can also be configured through the CLI:
Syntax
config wireless-controller wids-profile
edit 0
set ap-scan {enable | disable}
set ap-bgscan-period <interval>
set ap-bgscan-intv <interval>
set ap-bgscan-duration <interval>
set ap-bgscan-idle <interval>
set ap-bgscan-report-intv <interval>
set ap-bgscan-disable-day <day>
set ap-fgscan-report-intv <interval>
set rogue-scan {enable | disable}
end
end
The console can also now be accessed by going to WiFi Controller > Managed Access Points > Managed
APs and selecting the option Connect to CLI. The console will appear in a pop-up window.
If login-enable is set to default or disable on the FortiAP unit, or the FortiAP is offline, this option
will not appear.
Syntax
1. Enabling split tunnelling for an SSID.
config wireless-controller vap
edit <name>
set split-tunneling enable
end
end
- Security exempt list names can be added to a captive portal. This option is only available when user groups are selected as part of the SSID configuration, rather than being a match for groups in the security policy.
- URL redirection is available after the disclaimer/authentication screen.
- Four types of portals are available: authentication, authentication with disclaimer, disclaimer only, or email collection. When the mode is email collection or disclaimer only, the options for setting user groups or having an external captive portal are not available.
Syntax
config wireless-controller vap
edit <name>
set security captive-portal
set portal type {auth | auth+disclaimer | disclaimer | email-collect}
set security-exempt-list <name of list>
end
end
In order for these widgets to appear, spectrum analysis must first be enabled. This is done by editing the AP
profile used by your FortiAP units and selecting Spectrum Analysis for all applicable radios.
Spectrum analysis can also be enabled in the CLI.
Syntax
config wireless-controller wtp-profile
edit <name>
config <radio>
set spectrum-analysis enable
end
end
end
After spectrum analysis has been enabled, view the Top Wireless Interference widget found in the Wireless
Health Monitor. A chart icon will appear in the Channel column. Selecting this icon will open the new WiFi
charts: Spectrum Analysis and Top Wireless Interference.
The Spectrum Analysis chart shows WiFi signal interference as detected by a particular FortiAP.
The Top Wireless Interference chart shows SSIDs that are interfering with a particular FortiAP unit.
RADIUS Accounting
RADIUS accounting is now supported for wireless networks, allowing RADIUS accounting messages to be sent
that contain a wireless user's name and IP address.
If an accounting server has been enabled for RADIUS, the wireless client information will be sent to it.
Syntax
config wireless-controller wtp-profile
edit {fap221c | fap320c}
config radio-2
set darrp enable
end
end
Syntax
config wireless-controller wtp-profile
edit wtpprof
set dtls-in-kernel enable
end
end
IPv6
New IPv6 features include:
- RSSO Support
- FortiManager Connections
- Geographical Database
Syntax
config firewall address6
edit <name>
set type iprange
set start-ip <address>
set end-ip <address>
end
end
Syntax
config firewall policy6
edit <index_int>
set tcp-mss-sender <value>
set tcp-mss-receiver <value>
end
end
RSSO Support
RADIUS Single Sign-On (RSSO) is supported in IPv6 and can be configured in the CLI. Fallthrough for unauthenticated
Syntax
config firewall policy6
edit <id>
set rsso enable
set fall-through-unauthenticated enable
end
end
FortiManager Connections
IPv6 can now be used to connect a FortiGate unit to a FortiManager unit.
Geographical Database
An IPv6 geographical database has been added to properly identify the geographical locations of traffic in reports.
High Availability
New high availability features include:
- VRRP Support
- Trigger Failover
VRRP Support
Additional features have been added to support Virtual Router Redundancy Protocol (VRRP).
VRRP Groups
A VRRP group includes all the relevant VRRP IDs and tracks the VRRP status in order to force the status of all
group members if a VRRP domain is changed from master to backup.
VRRP groups are configured through the CLI. The VRRP group ID can be between 1 and 65535.
Syntax
config system interface
edit <port>
config vrrp
edit <id>
set vrgrp <id>
end
end
A VRRP column has also been added to the interfaces list in the web-based manager that will show the VRRP
ID, group, and status. This list can be found at System > Network > Interfaces.
Syntax
config system interface
edit <interface>
config vrrp
edit <id>
set vrdst <ip1> <ip2>
end
end
Trigger Failover
HA failover can now be enabled and disabled using the following CLI commands:
- diagnose sys ha set-as-master enable: immediately enables the local FortiGate unit as the HA master.
- diagnose sys ha set-as-master disable: immediately disables this mode. Optionally, a time frame can be added after disable, which will disable the mode at the appointed time. The time format is yyyy-mm-dd hh:mm:ss.
Syntax
config system ha
set ha-mgmt-interface-gateway6 <IPv6_address>
end
- Explicit Proxy Policy Table - for explicit web proxy, explicit FTP proxy and WAN optimization policies
- Explicit Web Proxy SOCKS services support for TCP and UDP traffic
Explicit Proxy Policy Table - for explicit web proxy, explicit FTP proxy and WAN optimization policies
Explicit proxy policies now have a dedicated table and creation page, found at Policy & Objects > Policy >
Explicit Proxy. The corresponding CLI command is:
config firewall explicit-proxy-policy
You use explicit proxy policies to add policies for the IPv4 and IPv6 explicit web proxy and for the explicit FTP
proxy. The first step in creating an explicit proxy policy is to select the proxy type (web or FTP). The options
available then depend on the explicit proxy type.
From the CLI you use the explicit web proxy policy to add WAN optimization tunnel policies. In FortiOS 5.0 you
added WAN optimization tunnel policies by setting the source interface to wanopt. In FortiOS 5.2 you create an
explicit web proxy policy from the CLI and set the proxy type to wanopt. For example:
config firewall explicit-proxy-policy
edit 0
set proxy wanopt
set dstintf internal
set srcaddr all
set dstaddr server-subnet
set action accept
set schedule always
set service ALL
next
end
The value for <number> can be anything between 1 and the total number of CPU cores in your FortiGate unit.
The default value for <number> is half the number of CPU cores in your FortiGate unit.
- client-ip
- x-forwarded-for
- front-end-https
For each of these headers you can set the action to:
You can also configure how the explicit web proxy handles custom headers. The proxy can add or remove custom
headers from requests or responses. If you are adding a header you can specify the content to be included in the
added header.
Create web proxy profiles from the CLI:
config web-proxy profile
edit <name>
set header-client-ip {add | pass | remove}
set header-via-request {add | pass | remove}
set header-via-response {add | pass | remove}
set header-x-forwarded-for {add | pass | remove}
set header-front-end-https {add | pass | remove}
config headers
edit <id>
set action {add-to-request | add-to-response | remove-from-request |
remove-from-response}
set content <string>
set name <name>
end
end
Use the following command to add a web proxy profile to an explicit proxy policy:
config firewall explicit-proxy-policy
edit <id>
set webproxy-profile <name>
end
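Applying a web-proxy profile like the one above to a request and a response, as an added example (not FortiOS code): each standard header gets add, pass or remove, and custom headers are added to or removed from the request or response. The header names assumed for client-ip and front-end-https, and the values written for added headers, are assumptions, not documented FortiOS behaviour.

```python
"""Web-proxy profile header actions as described in the text (added example,
not FortiOS code). Header names for client-ip and front-end-https and the
values inserted for 'add' are assumptions."""


def _find_key(headers, name):
    """Return the existing key that matches name case-insensitively, or None."""
    return next((k for k in headers if k.lower() == name.lower()), None)


def apply_profile(profile, headers, direction, client_ip, proxy_name, client_https=False):
    """Return a new header dict after applying the profile in the given direction.

    profile: FortiOS setting name -> 'add' | 'pass' | 'remove', plus an optional
    'headers' list of {'name', 'action', 'content'} custom entries.
    direction: 'request' (client -> server) or 'response' (server -> client).
    """
    out = dict(headers)
    via = f"1.1 {proxy_name}"
    if direction == "request":
        standard = [
            ("header-client-ip", "Client-IP", client_ip),
            ("header-via-request", "Via", via),
            ("header-x-forwarded-for", "X-Forwarded-For", client_ip),
            ("header-front-end-https", "Front-End-Https", "on" if client_https else None),
        ]
    else:
        standard = [("header-via-response", "Via", via)]

    for setting, name, value in standard:
        action = profile.get(setting, "pass")
        key = _find_key(out, name)
        if action == "remove" and key is not None:
            del out[key]
        elif action == "add" and value is not None:
            if key is not None and name in ("Via", "X-Forwarded-For"):
                out[key] = f"{out[key]}, {value}"   # list-valued headers are appended to
            else:
                if key is not None:
                    del out[key]                    # replace, whatever the case of the key
                out[name] = value
        # 'pass' leaves whatever the client or server sent untouched.

    for custom in profile.get("headers", []):
        if not custom["action"].endswith(direction):
            continue
        key = _find_key(out, custom["name"])
        if key is not None:
            del out[key]
        if custom["action"].startswith("add"):
            out[custom["name"]] = custom["content"]
    return out


# Constructed profile: do not trust what the client claims about its own address
# (strip X-Forwarded-For), stamp the proxy's own Client-IP and Via, tag requests
# for the upstream, and hide the origin server's identity on the way back.
SAMPLE_PROFILE = {
    "header-client-ip": "add",
    "header-via-request": "add",
    "header-via-response": "remove",
    "header-x-forwarded-for": "remove",
    "header-front-end-https": "pass",
    "headers": [
        {"name": "X-Proxy-Policy", "action": "add-to-request", "content": "explicit-1"},
        {"name": "Server", "action": "remove-from-response", "content": ""},
    ],
}

SAMPLE_REQUEST = {"Host": "intranet.example", "X-Forwarded-For": "203.0.113.7",
                  "x-proxy-policy": "client-supplied"}
SAMPLE_RESPONSE = {"Server": "Apache", "Via": "1.1 upstream-cache", "Content-Type": "text/html"}

if __name__ == "__main__":
    print(apply_profile(SAMPLE_PROFILE, SAMPLE_REQUEST, "request", "10.0.0.5", "fgt-proxy"))
    print(apply_profile(SAMPLE_PROFILE, SAMPLE_RESPONSE, "response", "10.0.0.5", "fgt-proxy"))
```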
Explicit Web Proxy SOCKS services support for TCP and UDP traffic
You can now configure Web Proxy services to allow UDP traffic as well as TCP traffic to be accepted by the
SOCKS proxy. Previously, the web proxy would only accept TCP SOCKS traffic.
Web proxy services can be configured in the CLI.
Syntax
Use the following command to create a custom service for UDP traffic over the SOCKS proxy:
config firewall service custom
edit <name>
set explicit-proxy enable
set category Web\ Proxy
set protocol SOCKS-UDP
set tcp-portrange 8080-8080
end
end
The option to create a custom service for TCP traffic over the SOCKS proxy has also changed. For example, use
the following command to create a custom service for TCP traffic over the SOCKS proxy:
config firewall service custom
edit <name>
set explicit-proxy enable
set category Web\ Proxy
set protocol SOCKS-TCP
set tcp-portrange 80-80
end
end
Advanced Routing
New advanced routing features include:
- Policy Routes
Syntax
config router bgp
config neighbor-group
edit <name>
set ... (same configuration options as config neighbor)
next
config neighbor-range
edit <id>
set prefix <class_ip&net_netmask>
set max-neighbor-num <integer>
set neighbor-group <name>
end
end
Syntax
config ospf-interface
edit ospf1
set interface port1
set network-type broadcast
set dead-interval 1
set hello-multiplier 4
end
end
Syntax
config router bgp
config neighbor
edit <name>
set remote-as 3
config conditional-advertise
edit <name>
set condition-routemap <name>
set condition-type {exist | non-exist}
end
end
end
end
end
Syntax
config system {settings | virtual-wan-link}
set v4-ecmp-mode source-dest-ip-based
end
Policy Routes
The following options have been added for policy routes:
Threat Weight
Removing all overlapping fields between the UTM Logs and Traffic Logs, with the exception of the common fields
sessionid, vd, user, and group, and application control critical info, which will be present in both the Traffic
Log and Application log.
Fields have been renamed so that they are the same in all logs.
The action field reflects the Firewall action (accept or deny). This will allow you to see from the traffic logs if the
session was allowed or blocked and whether it was allowed or blocked by the firewall or by a security feature. If it
was a security feature, you will need to look at the UTM logs to determine which feature blocked the traffic.
The field utmaction is set to the most severe actions across all security features. The severity from highest to
lowest is: Block, Reset, Traffic Shape, Allow.
You can now drill-down from a traffic log to its corresponding UTM logs.
extended-utm-log and log options for security profiles have been removed.
Log roll logic has been rewritten so that the traffic log file and related UTM log files are rolled together. Uploadd will
pack these files together to send to a FortiAnalyzer unit.
An anomaly log category has been added to separate anomaly logs from IPS logs.
A new cover page has been added that contains the report name, date, date range, and device name.
The VPN usage information now shows all usage, rather than just a top 10 list. This allows a complete list to be shown
that includes all tunnels for site-to-site IPsec VPNs and all users for dial-up IPsec VPN tunnels, SSL VPN tunnels,
and SSL VPN web mode. Information on connection time has also been added.
Entries will not be displayed when there is zero bandwidth or connection time.
GTP-U Logging
FortiOS 5.2 supports GPRS Tunnelling Protocol User Plane (GTP-U) logging for both forwarded and dropped
packets at the kernel level. FortiGate log entries now contain International Mobile Subscriber Identity (IMSI),
Mobile Subscriber Integrated Services Digital Network-Number (MSISDN), Access Point Name (APN), and
header Tunnel Endpoint Identifier (TEID) if available/applicable.
Three new CLI commands are added to GTP profile for GTP-U logging:
Syntax
config firewall gtp
edit gtp_profile
set gtpu-forwarded-log enable
set gtpu-denied-log enable
set gtpu-log-freq 10
end
end
The log frequency value is per number of packets; for example, set gtpu-log-freq 10 means the FortiGate unit should have a log entry per 10 packets.
Syntax
config log eventfilter
set gtp enable
end
Attackcontext entries longer than 1KB are split into multiple log entries, which share the same
incidentserialno. Attackcontextid helps identify these segments by showing their order in the
sequence; for example, <1/3> means this log is the first segment of a log message containing three
segments in total.
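Reassembling segmented attack context on the collector side, as an added example (not FortiOS code): entries are grouped by incidentserialno, ordered by the <n/m> value in attackcontextid, and reported as incomplete when a segment is missing. The log lines are constructed, and field names other than incidentserialno, attackcontextid and attackcontext are assumptions.

```python
"""Reassembly of split IPS attack-context log entries as described in the text
(added example, not FortiOS code). Sample lines are constructed."""

import re
from collections import defaultdict

# key=value pairs, with values optionally double-quoted (FortiOS log style).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')
SEGMENT_RE = re.compile(r"^<(\d+)/(\d+)>$")


def parse_log_line(line):
    """Return the line's fields as a dict, with surrounding quotes stripped."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in FIELD_RE.findall(line)}


def reassemble(lines):
    """Return (complete, incomplete).

    complete maps incidentserialno -> the attackcontext segments joined in
    <n/m> order; incomplete maps incidentserialno -> the sorted list of missing
    segment numbers. An entry without attackcontextid is treated as <1/1>.
    """
    segments = defaultdict(dict)   # serial -> {segment index: text}
    totals = {}                    # serial -> declared number of segments
    for line in lines:
        fields = parse_log_line(line)
        if "incidentserialno" not in fields or "attackcontext" not in fields:
            continue
        serial = fields["incidentserialno"]
        match = SEGMENT_RE.match(fields.get("attackcontextid", "<1/1>"))
        if not match:
            continue               # malformed id: skip rather than guess a position
        index, total = int(match.group(1)), int(match.group(2))
        segments[serial][index] = fields["attackcontext"]
        totals[serial] = total

    complete, incomplete = {}, {}
    for serial, parts in segments.items():
        order = range(1, totals[serial] + 1)
        missing = [i for i in order if i not in parts]
        if missing:
            incomplete[serial] = missing
        else:
            complete[serial] = "".join(parts[i] for i in order)
    return complete, incomplete


# Constructed sample: incident 1001 arrives out of order but complete, 1002 is
# missing its second segment, and 1003 was short enough not to be split.
SAMPLE_LOG = [
    'date=2015-03-02 type=utm subtype=ips incidentserialno=1001 attackcontextid="<2/3>" attackcontext="context part two "',
    'date=2015-03-02 type=utm subtype=ips incidentserialno=1002 attackcontextid="<1/2>" attackcontext="lonely first half"',
    'date=2015-03-02 type=utm subtype=ips incidentserialno=1001 attackcontextid="<3/3>" attackcontext="and part three"',
    'date=2015-03-02 type=utm subtype=ips incidentserialno=1001 attackcontextid="<1/3>" attackcontext="context part one "',
    'date=2015-03-02 type=utm subtype=ips incidentserialno=1003 attackcontext="short context, no split"',
]

if __name__ == "__main__":
    complete, incomplete = reassemble(SAMPLE_LOG)
    for serial, text in complete.items():
        print(f"{serial}: {text!r}")
    for serial, missing in incomplete.items():
        print(f"{serial}: missing segments {missing}")
```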
Syntax
config report setting
set status enable
set report-source {forward-traffic | sniffer-traffic | both}
end
Threat Weight
The 5.0 feature client reputation has been renamed Threat Weight in FortiOS 5.2 and has been moved from
Security Profiles to Log & Report > Log Config > Threat Weight. It can now be configured in the CLI using
the command config log threat-weight.
The default is proxy-based, which means the SIP ALG is used. If set to kernel-helper-based, the SIP
session helper is used. If a SIP session is accepted by a firewall policy with a VoIP profile, the session is
processed using the SIP ALG even if default-voip-alg-mode is set to kernel-helper-based.
If a SIP session is accepted by a firewall policy that does not include a VoIP profile:
- If default-voip-alg-mode is set to proxy-based, SIP traffic is processed by the SIP ALG using the default VoIP profile.
- If default-voip-alg-mode is set to kernel-helper-based, SIP traffic is processed by the SIP session helper. If the SIP session helper has been removed, then no SIP processing takes place.
Syntax
config firewall vip
edit <name>
set type server-load-balance
set server-type {http | https}
set http-ip-header enable
set http-ip-header-name <name>
end
end
Syntax
config system global
set traffic-priority {tos | dscp}
set traffic-priority-level {low | medium | high}
end
RFC List
The following RFCs are supported by the new features in FortiOS 5.2:
Number  Title
791     Internet Protocol
1349
1925
2516
4754    IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
4787
5996
Copyright 2015 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinets General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinets internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.